[midPoint] UserTemplate - Role Assignment based on Org Assignment Property

Ivan Noris ivan.noris at evolveum.com
Tue Nov 22 14:06:51 CET 2016


Hi Martin,

could you please try with midPoint built from the git branch named support-3.4?

Thanks,

Ivan


On 11/21/2016 03:48 PM, Martin Marchese wrote:
> Ivan,
>
> We ran the same test within a 3.4.1 environment and within a
> 3.5-SNAPSHOT one, with the same objects. It worked OK in 3.5-SNAPSHOT but,
> again, it did not work in 3.4.1.
>
> Is there any package logging you would recommend enabling in order to debug this?
>
> The following are our objects:
>
> Student Role:
> -------------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>   oid="00000000-0000-1de4-0004-000000000010">
>    <name>STUDENT</name>
> </role>
>
> Teacher Role:
> -------------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>   oid="00000000-0000-1de4-0004-000000000011">
>    <name>TEACHER</name>
> </role>
>
> MetaRole:
> --------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       oid="00000000-0000-1de4-0004-000000000099">
>    <name>META_ROL</name>
>    <inducement id="1">
>       <targetRef oid="00000000-0000-1de4-0004-000000000010" type="c:RoleType"><!-- STUDENT --></targetRef>
>       <order>2</order>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'STUDENT'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
>    <inducement id="2">
>       <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"><!-- TEACHER --></targetRef>
>       <order>2</order>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'TEACHER'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
> </role>
>
> Org:
> ------
>
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      oid="00000000-0000-1de4-0010-000000000001">
>    <name>ORG21</name>
>    <assignment id="1">
>       <targetRef oid="00000000-0000-1de4-0004-000000000099" type="c:RoleType"><!-- META_ROL --></targetRef>
>    </assignment>
> </org>
>
>
> Org Assignment to User:
> -----------------------------------
>
> <assignment id="1">
>    <extension xmlns:icfcassig="http://midpoint.identicum.com/xml/ns/metaAssignment">
>       <icfcassig:metaRelation>STUDENT</icfcassig:metaRelation>
>    </extension>
>    <targetRef oid="00000000-0000-1de4-0010-000000000001" type="c:OrgType"><!-- ORG1 --></targetRef>
> </assignment>
>
> Thanks in Advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com
> www.identicum.com
>
> On Sat, Nov 19, 2016 at 8:52 AM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:
>
>     Hi Martin,
>
>     that's a surprise for me, because I'm not using master but a
>     3.4-based branch... and the main logic is similar to what I'm
>     using, even in older versions...
>
>     Did it just not work, or were there some errors displayed/logged?
>     Maybe the developers would know, based on that behaviour.
>
>     Regards,
>     Ivan
>
>     ------------------------------------------------------------------------
>
>         *From: *"Martin Marchese" <mmarchese at identicum.com>
>         *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>         *Sent: *Friday, November 18, 2016 11:20:18 PM
>         *Subject: *Re: [midPoint] UserTemplate - Role Assignment based
>         on Org Assignment Property
>
>
>         Thanks Ivan, that worked like a charm! And it's a very nice
>         solution!
>
>         However, just to let you know, it worked only on MidPoint 3.5
>         snapshot, we tested that in 3.4.1 with no luck.
>
>         Regards
>
>         *Ing. Martín Marchese*
>         Identicum S.A.
>         Jorge Newbery 3226
>         Tel: +54 (11) 4552-3050
>         mmarchese at identicum.com
>         www.identicum.com
>
>         On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris
>         <ivan.noris at evolveum.com> wrote:
>
>             Hi,
>
>             there might be a way to do this in an object template,
>             but it could be complicated.
>
>             I would probably try a metarole instead:
>
>             1. all organizations should have a metarole assigned (not
>             induced)
>
>             2. roles STUDENT and TEACHER will be defined by you to do
>             whatever is needed for users
>
>             3. the metarole would have two order=2 inducements for
>             users which have the organization assigned. One of the
>             inducements would induce the STUDENT role if the assignment
>             parameter metaRelation for "this" organization is STUDENT.
>             The other would assign the TEACHER role if the assignment
>             parameter for "this" organization is TEACHER. The
>             inducements would be indirect, i.e. you would not see the
>             STUDENT/TEACHER role assigned in the user's Assignments tab
>             *(this may or may not be a problem for you)*.
>
>             Technically it would mean that one person with 20
>             organizations assigned as TEACHER would end up with 20
>             assignments of the same role TEACHER, but I believe that
>             midPoint will "normalize" this and only one role TEACHER
>             would be assigned in reality.
>
>             The metarole should look similar to this (untested):
>
>             <role ...>
>               <name>Teacher/Student Org Metarole</name>
>
>               <inducement>
>                 <targetRef oid="00000000-dc00-dc00-0004-000000000078"
>                            type="c:RoleType"><!-- STUDENT --></targetRef>
>
>                 <condition>
>                   <source>
>                     <!-- xyz is your namespace; the property lives under
>                          the assignment's extension container -->
>                     <path>$focusAssignment/extension/xyz:metaRelation</path>
>                   </source>
>                   <expression>
>                     <script>
>                       <code>metaRelation == 'STUDENT'</code>
>                     </script>
>                   </expression>
>                 </condition>
>
>                 <focusType>c:UserType</focusType><!-- to apply only
>             to users even if organization is assigned to another
>             organization -->
>
>                 <order>2</order><!-- to apply to users which have
>             the organization assigned -->
>
>               </inducement>
>
>               <inducement>
>                 <targetRef oid="00000000-dc00-dc00-0004-000000000111"
>                            type="c:RoleType"><!-- TEACHER --></targetRef>
>
>                 <condition>
>                   <source>
>                     <!-- xyz is your namespace -->
>                     <path>$focusAssignment/extension/xyz:metaRelation</path>
>                   </source>
>                   <expression>
>                     <script>
>                       <code>metaRelation == 'TEACHER'</code>
>                     </script>
>                   </expression>
>                 </condition>
>
>                 <focusType>c:UserType</focusType>
>
>                 <order>2</order>
>
>               </inducement>
>             </role>
>
>             I hope I'm correct. I have done similar stuff, but not
>             this specific one.
>
>             Regards,
>
>             Ivan
>
>             On 11/18/2016 06:44 PM, Martin Marchese wrote:
>
>                 Hi Ivan thanks for your answer,
>
>                 Yes that's correct, they should be assigned without
>                 any parameters based on the org assignment types.
>
>                 Regards
>
>                 *Ing. Martín Marchese*
>                 Identicum S.A.
>                 Jorge Newbery 3226
>                 Tel: +54 (11) 4552-3050
>                 mmarchese at identicum.com
>                 www.identicum.com
>
>                 On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris
>                 <ivan.noris at evolveum.com> wrote:
>
>                     Hi Martin,
>
>                     the STUDENT and TEACHER roles are "static" in
>                     terms of assignment parameters? They are (should
>                     be) just assigned without any parameters whenever
>                     the user has any org with STUDENT-type assignment or
>                     any role with TEACHER-type assignment?
>
>
>                     Ivan
>
>
>                     On 11/16/2016 08:37 PM, Martin Marchese wrote:
>
>                         Hi All,
>
>                         We had our AssignmentType extended with a
>                         "metaRelation" extension property.
>
>                         Users are assigned to an OrgType
>
>                         Our OrgType represents schools and within this
>                         "metaRelation" property, we store whether the
>                         assigned user is a STUDENT or a TEACHER.
>
>                         Besides, we have 2 Roles (STUDENT and TEACHER
>                         roles).
>
>                         We would like to use our user template to
>                         assign the corresponding role to the user
>                         based on which "metaRelation" it has within
>                         the Org.
>
>                         Users could be STUDENT and/or TEACHER in more
>                         than one Org, so as long as the user has at least
>                         one of these assignments, it needs to have the
>                         corresponding role assigned.
>
>                         We are wondering whether there's a way to query the
>                         user's Org assignments within the template and
>                         use them as the source for the target role assignment.
>
>                         Is this the best/correct way to do it? Do you
>                         recommend any other way?
>
>                         Thanks in Advance
>                         Regards,
>
>                         *Ing. Martín Marchese*
>                         Identicum S.A.
>                         Jorge Newbery 3226
>                         Tel: +54 (11) 4552-3050
>                         mmarchese at identicum.com
>                         www.identicum.com
>
>
>                         _______________________________________________
>                         midPoint mailing list
>                         midPoint at lists.evolveum.com
>                         <mailto:midPoint at lists.evolveum.com>
>                         http://lists.evolveum.com/mailman/listinfo/midpoint
>                         <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>                     -- 
>                     Ivan Noris
>                     Senior Identity Engineer
>                     evolveum.com
>
>
>
>             -- 
>             Ivan Noris
>             Senior Identity Engineer
>             evolveum.com
>
>
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com
>
-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
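Editor's note, added to this archived thread and not part of any message in it nor of the midPoint project's own samples: a complete, well-formed version of the setup discussed above. It shows the one piece the thread assumes but never posts, the schema extension that declares metaRelation on AssignmentType, together with the metarole using the extension/ path that worked for Martin on 3.5-SNAPSHOT and a user holding a single parameterized org assignment. The extension namespace, the icfcassig prefix and the role/org OIDs are the ones from Martin's mail; the file name extension.xsd and the user name jdoe are assumptions. Two practitioner notes: the script variable metaRelation is named after the last segment of the source path, and because the induced role is decided purely by the metaRelation value on the user's own org assignment, whoever is authorized to edit that assignment (including its extension container) can effectively grant TEACHER, so the authorizations covering users' assignments deserve a look with that in mind. Since the role is induced rather than assigned, the quickest check after import is to recompute the user and inspect the computed role membership (roleMembershipRef on the user object) rather than the Assignments tab.

```xml
<!-- File 1 (assumed name: extension.xsd, placed in midPoint's schema directory).
     Declares the single-valued metaRelation property on AssignmentType. -->
<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://midpoint.identicum.com/xml/ns/metaAssignment"
            xmlns:tns="http://midpoint.identicum.com/xml/ns/metaAssignment"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <xsd:complexType name="AssignmentExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <!-- attaches this complex type as the extension of every assignment -->
                <a:extension ref="c:AssignmentType"/>
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <!-- expected values: STUDENT or TEACHER; absent means "no induced role" -->
            <xsd:element name="metaRelation" type="xsd:string" minOccurs="0" maxOccurs="1"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

<!-- File 2: importable objects. The STUDENT and TEACHER roles and ORG21 are the
     ones already posted in this thread and are not repeated here. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:icfcassig="http://midpoint.identicum.com/xml/ns/metaAssignment">

    <!-- Metarole that every school org assigns (not induces). order=2 makes each
         inducement apply to the user holding the org, not to the org itself. -->
    <role oid="00000000-0000-1de4-0004-000000000099">
        <name>META_ROL</name>
        <inducement>
            <targetRef oid="00000000-0000-1de4-0004-000000000010" type="c:RoleType"/> <!-- STUDENT -->
            <order>2</order>
            <focusType>UserType</focusType>
            <condition>
                <source>
                    <!-- $focusAssignment is the user's own assignment to the org;
                         the value read here is whatever was written on that assignment -->
                    <c:path>$focusAssignment/extension/icfcassig:metaRelation</c:path>
                </source>
                <expression>
                    <script>
                        <!-- null (no parameter) compares unequal, so nothing is induced -->
                        <code>metaRelation == 'STUDENT'</code>
                    </script>
                </expression>
            </condition>
        </inducement>
        <inducement>
            <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"/> <!-- TEACHER -->
            <order>2</order>
            <focusType>UserType</focusType>
            <condition>
                <source>
                    <c:path>$focusAssignment/extension/icfcassig:metaRelation</c:path>
                </source>
                <expression>
                    <script>
                        <code>metaRelation == 'TEACHER'</code>
                    </script>
                </expression>
            </condition>
        </inducement>
    </role>

    <!-- A user who is a TEACHER at ORG21. Name is an assumption; midPoint assigns
         the OID on import. Adding a second org assignment with the same parameter
         yields the same single TEACHER membership, as Ivan expected. -->
    <user>
        <name>jdoe</name>
        <assignment>
            <extension>
                <icfcassig:metaRelation>TEACHER</icfcassig:metaRelation>
            </extension>
            <targetRef oid="00000000-0000-1de4-0010-000000000001" type="c:OrgType"/> <!-- ORG21 -->
        </assignment>
    </user>
</objects>
```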